Re: unwind and split-horizon DNS

2019-11-28 Thread Otto Moerbeek
On Fri, Nov 29, 2019 at 07:02:27AM +0100, Björn Ketelaars wrote:

> On Thu 28/11/2019 16:16, Otto Moerbeek wrote:
> > On Thu, Nov 28, 2019 at 03:26:34PM +0100, Otto Moerbeek wrote:
> > 
> > > Hi,
> > > 
> > > In many offices, split horizon DNS is used. This means that if you are
> > > in the office you are supposed to use a specific resolver that will
> > > hand out different results than when asking for the same name on the
> > > rest of the internet.
> > > 
> > > Until now unwind could not really handle that, e.g. in recursing mode,
> > > it would produce the view as from outside of the office. 
> > > 
> > > With this diff, it becomes possible to force using a specific resolver
> > > when resolving names in specific domains.
> > > 
> > > For example, with this unwind.conf:
> > > 
> > > # Office forwarder
> > > forwarder 1.2.3.4 
> > > force forwarder {
> > >   myoffice.com
> > >   dmz.colocation.com
> > > }
> > > 
> > > This will make unwind always use the mentioned forwarder for anything
> > > under office.com or dmz.colocation.com. If the forwarder is dead,
> > > regular resolving is done for these names and www.office.com will
> > > likely return the external address.
> > > 
> > > Often split-horizon DNS breaks DNSSEC for these specific domains. If
> > > that is the case, you can use
> > > 
> > > force acceptbogus forwarder { 
> > >   ... 
> > > }
> > > 
> > > please test this,
> > > 
> > >   -Otto
> > > 
> > > OAIndex: frontend.c
> > 
> > Don't know where that OA is coming from.  But it confuses patch, making
> > it skip the first part of the diff. Proper diff below:
> 
> @Home I'm redirecting all DNS requests to a machine with unbound serving
> a couple of local-zones. unwind didn't work for me as these local-zones
> would not resolve because of DNSSEC. With your diff, and the config
> below unwind works perfectly.
> 
> forwarder 10.0.0.1
> force acceptbogus forwarder {
>   lan
> }
> 
> I experienced no regression while using the free wifi service of the
> Dutch railways, which is known to do strange things with DNS.

Thanks for testing. The Dutch railways have been a great inspiration
to unwind work, as florian@ can tell you :-)

-Otto



Re: unwind and split-horizon DNS

2019-11-28 Thread Björn Ketelaars
On Thu 28/11/2019 16:16, Otto Moerbeek wrote:
> On Thu, Nov 28, 2019 at 03:26:34PM +0100, Otto Moerbeek wrote:
> 
> > Hi,
> > 
> > In many offices, split horizon DNS is used. This means that if you are
> > in the office you are supposed to use a specific resolver that will
> > hand out different results than when asking for the same name on the
> > rest of the internet.
> > 
> > Until now unwind could not really handle that, e.g. in recursing mode,
> > it would produce the view as from outside of the office. 
> > 
> > With this diff, it becomes possible to force using a specific resolver
> > when resolving names in specific domains.
> > 
> > For example, with this unwind.conf:
> > 
> > # Office forwarder
> > forwarder 1.2.3.4 
> > force forwarder {
> > myoffice.com
> > dmz.colocation.com
> > }
> > 
> > This will make unwind always use the mentioned forwarder for anything
> > under office.com or dmz.colocation.com. If the forwarder is dead,
> > regular resolving is done for these names and www.office.com will
> > likely return the external address.
> > 
> > Often split-horizon DNS breaks DNSSEC for these specific domains. If
> > that is the case, you can use
> > 
> > force acceptbogus forwarder { 
> > ... 
> > }
> > 
> > please test this,
> > 
> > -Otto
> > 
> > OAIndex: frontend.c
> 
> Don't know where that OA is coming from.  But it confuses patch, making
> it skip the first part of the diff. Proper diff below:

@Home I'm redirecting all DNS requests to a machine with unbound serving
a couple of local-zones. unwind didn't work for me as these local-zones
would not resolve because of DNSSEC. With your diff, and the config
below unwind works perfectly.

forwarder 10.0.0.1
force acceptbogus forwarder {
lan
}

I experienced no regression while using the free wifi service of the
Dutch railways, which is known to do strange things with DNS.
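
An added example (my own C, not unwind's code) of the name matching the thread
describes: for a query name, decide whether one of the `force` domains covers it
and therefore which forwarder and DNSSEC policy apply. It assumes the two
unwind.conf snippets above as a table (1.2.3.4 for myoffice.com and
dmz.colocation.com, 10.0.0.1 with acceptbogus for lan) and a longest-suffix
match at label boundaries; how unwind itself walks its force_tree is not shown
in the diff. The boundary check is the part worth getting right, because
`acceptbogus` switches off DNSSEC validation for whatever matches, so a name
like evilmyoffice.com must not be swept in by a plain substring match.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed table standing in for the parsed `force` blocks from the
 * thread (assumption: one forwarder address and one acceptbogus flag per
 * listed domain, which is what the parse.y hunk stores per entry).
 */
struct force_entry {
	const char *domain;	/* as written in unwind.conf, no trailing dot */
	const char *forwarder;	/* resolver used for names under domain */
	int	    acceptbogus;/* 1: DNSSEC-bogus answers are accepted */
};

static const struct force_entry force_table[] = {
	{ "myoffice.com",       "1.2.3.4",  0 },
	{ "dmz.colocation.com", "1.2.3.4",  0 },
	{ "lan",                "10.0.0.1", 1 },
};

/* ASCII case-insensitive comparison of n bytes (DNS names are case-blind). */
static int
eq_nocase(const char *a, const char *b, size_t n)
{
	size_t i;

	for (i = 0; i < n; i++)
		if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
			return 0;
	return 1;
}

/*
 * Return 1 if qname equals domain or ends in ".domain". The match is made
 * only at a label boundary, so "evilmyoffice.com" is not under
 * "myoffice.com". A trailing dot on qname (fully qualified form) is ignored.
 */
static int
under_domain(const char *qname, const char *domain)
{
	size_t qlen = strlen(qname), dlen = strlen(domain);

	if (qlen > 0 && qname[qlen - 1] == '.')
		qlen--;
	if (dlen == 0 || qlen < dlen)
		return 0;
	if (!eq_nocase(qname + qlen - dlen, domain, dlen))
		return 0;
	return qlen == dlen || qname[qlen - dlen - 1] == '.';
}

/*
 * Pick the most specific (longest) forced domain covering qname, so that a
 * "dmz.colocation.com" entry would win over a hypothetical "colocation.com"
 * one. Returns NULL when no entry applies and ordinary recursion with full
 * DNSSEC validation is the right thing to do.
 */
const struct force_entry *
force_lookup(const char *qname)
{
	const struct force_entry *best = NULL;
	size_t i, bestlen = 0, dlen;

	for (i = 0; i < sizeof(force_table) / sizeof(force_table[0]); i++) {
		dlen = strlen(force_table[i].domain);
		if (dlen > bestlen && under_domain(qname, force_table[i].domain)) {
			best = &force_table[i];
			bestlen = dlen;
		}
	}
	return best;
}

int
main(void)
{
	/* constructed query names, including the near-miss evilmyoffice.com */
	const char *names[] = { "www.myoffice.com", "MyOffice.com.",
	    "evilmyoffice.com", "host.dmz.colocation.com", "www.colocation.com",
	    "printer.lan", "openbsd.org" };
	const struct force_entry *e;
	size_t i;

	for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
		e = force_lookup(names[i]);
		if (e == NULL)
			printf("%-24s -> recursive, DNSSEC enforced\n", names[i]);
		else
			printf("%-24s -> forwarder %s%s\n", names[i], e->forwarder,
			    e->acceptbogus ? " (bogus answers accepted)" : "");
	}
	return 0;
}
```

Keep the `acceptbogus` list as short as the broken zones require: every domain
in it is resolved with validation failures ignored, which is exactly the window
a hostile resolver on a captive network would want.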



typo fix in csh/file.c

2019-11-28 Thread Nayden Markatchev
spotted when reading code..
--
cvs diff: Diffing .
Index: file.c
===
RCS file: /home/nayden/cvsync/src/bin/csh/file.c,v
retrieving revision 1.38
diff -u -p -r1.38 file.c
--- file.c  28 Jun 2019 13:34:58 -  1.38
+++ file.c  29 Nov 2019 04:24:09 -
@@ -726,7 +726,7 @@ is_prefix(Char *check, Char *template)

 /*
  *  Return true if the Chars in template appear at the
- *  end of check, I.e., are it's suffix.
+ *  end of check, I.e., are its suffix.
  */
 static int
 is_suffix(Char *check, Char *template)
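Review bot: the "it's" to "its" fix is correct; while touching this comment, the mid-sentence "I.e.," would normally be lowercase "i.e.," so consider fixing that in the same commit.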
cvs diff: Diffing USD.doc



Re: at(1): subtraction is not comparison

2019-11-28 Thread Todd C. Miller
OK millert@

 - todd



at(1): subtraction is not comparison

2019-11-28 Thread Scott Cheloha
ok?

Index: at.c
===
RCS file: /cvs/src/usr.bin/at/at.c,v
retrieving revision 1.82
diff -u -p -r1.82 at.c
--- at.c28 Jun 2019 13:35:00 -  1.82
+++ at.c29 Nov 2019 02:50:28 -
@@ -378,7 +378,7 @@ byctime(const void *v1, const void *v2)
const struct atjob *j1 = *(const struct atjob **)v1;
const struct atjob *j2 = *(const struct atjob **)v2;
 
-   return (j1->ctime - j2->ctime);
+   return (j1->ctime < j2->ctime) ? -1 : (j1->ctime > j2->ctime);
 }
 
 /* Sort by job number (and thus execution time). */
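Review bot: the three-way compare is the right fix for this comparator. `byctime()` returns `int`, while `ctime` is a timestamp that is wider than `int` on OpenBSD (assuming it is a `time_t`), so `return (j1->ctime - j2->ctime)` could both overflow in the subtraction and be truncated on the way out, flipping the sign and handing qsort(3) an inconsistent order. `(j1->ctime < j2->ctime) ? -1 : (j1->ctime > j2->ctime)` yields exactly -1, 0 or 1. Worth grepping the file for other comparators written as subtraction and converting them the same way.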



Add __func__ to panic() and printf() calls in sys/netinet6/*

2019-11-28 Thread nayden

Hello,

A mostly mechanical diff that makes use of __func__ in place of 
hardcoded function names in panic() and printf() calls.


If someone is working in netinet6 and this change will trample
your work please let me know and I'll hold off.

ok?

Index: icmp6.c
===
RCS file: /home/nayden/cvsync/src/sys/netinet6/icmp6.c,v
retrieving revision 1.229
diff -u -p -r1.229 icmp6.c
--- icmp6.c 25 Dec 2018 19:28:25 -  1.229
+++ icmp6.c 17 Jan 2019 03:50:22 -
@@ -225,7 +225,7 @@ icmp6_mtudisc_callback_register(void (*f

mc = malloc(sizeof(*mc), M_PCB, M_NOWAIT);
if (mc == NULL)
-   panic("icmp6_mtudisc_callback_register");
+   panic("%s", __func__);

mc->mc_func = func;
LIST_INSERT_HEAD(&icmp6_mtudisc_callbacks, mc, mc_list);
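Review bot: the `+++` header shows this hunk was produced on 17 Jan 2019 against icmp6.c 1.229 from December 2018, so the diff comes from an old checkout; regenerate it against the current file before commit so the `panic("%s", __func__)` replacement applies at the right offset. The substitution itself is fine since the string only named the enclosing function.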
Index: in6_pcb.c
===
RCS file: /home/nayden/cvsync/src/sys/netinet6/in6_pcb.c,v
retrieving revision 1.109
diff -u -p -r1.109 in6_pcb.c
--- in6_pcb.c   17 Oct 2019 00:51:28 -  1.109
+++ in6_pcb.c   11 Nov 2019 06:18:42 -
@@ -376,8 +376,8 @@ in6_pcbnotify(struct inpcbtable *table, 
		return (0);

if (IN6_IS_ADDR_V4MAPPED(&dst->sin6_addr)) {
#ifdef DIAGNOSTIC
-   printf("Huh?  Thought in6_pcbnotify() never got "
-  "called with mapped!\n");
+   printf("%s: Huh?  Thought we never got "
+  "called with mapped!\n", __func__);
#endif
return (0);
}
Index: ip6_divert.c
===
RCS file: /home/nayden/cvsync/src/sys/netinet6/ip6_divert.c,v
retrieving revision 1.59
diff -u -p -r1.59 ip6_divert.c
--- ip6_divert.c4 Feb 2019 21:40:52 -   1.59
+++ ip6_divert.c15 Feb 2019 12:46:55 -
@@ -301,7 +301,7 @@ divert6_usrreq(struct socket *so, int re
break;

default:
-   panic("divert6_usrreq");
+   panic("%s", __func__);
}

release:
Index: ip6_input.c
===
RCS file: /home/nayden/cvsync/src/sys/netinet6/ip6_input.c,v
retrieving revision 1.219
diff -u -p -r1.219 ip6_input.c
--- ip6_input.c 21 Aug 2019 15:32:18 -  1.219
+++ ip6_input.c 27 Nov 2019 17:22:30 -
@@ -144,7 +144,7 @@ ip6_init(void)

pr = pffindproto(PF_INET6, IPPROTO_RAW, SOCK_RAW);
if (pr == NULL)
-   panic("ip6_init");
+   panic("%s", __func__);
for (i = 0; i < IPPROTO_MAX; i++)
ip6_protox[i] = pr - inet6sw;
for (pr = inet6domain.dom_protosw;
@@ -1204,7 +1204,7 @@ ip6_nexthdr(struct mbuf *m, int off, int

/* just in case */
if (m == NULL)
-   panic("ip6_nexthdr: m == NULL");
+   panic("%s: m == NULL", __func__);
if ((m->m_flags & M_PKTHDR) == 0 || m->m_pkthdr.len < off)
return -1;

Index: ip6_output.c
===
RCS file: /home/nayden/cvsync/src/sys/netinet6/ip6_output.c,v
retrieving revision 1.244
diff -u -p -r1.244 ip6_output.c
--- ip6_output.c10 Jun 2019 16:32:51 -  1.244
+++ ip6_output.c27 Nov 2019 17:24:15 -
@@ -174,7 +174,7 @@ ip6_output(struct mbuf *m0, struct ip6_p

#ifdef IPSEC
if (inp && (inp->inp_flags & INP_IPV6) == 0)
-   panic("ip6_output: IPv4 pcb is passed");
+   panic("%s: IPv4 pcb is passed", __func__);
#endif /* IPSEC */

ip6 = mtod(m, struct ip6_hdr *);
@@ -295,7 +295,7 @@ ip6_output(struct mbuf *m0, struct ip6_p
 */
if (exthdrs.ip6e_dest2) {
if (!hdrsplit)
-   panic("assumption failed: hdr not split");
+   panic("%s: assumption failed: hdr not split", 
__func__);
exthdrs.ip6e_dest2->m_next = m->m_next;
m->m_next = exthdrs.ip6e_dest2;
*mtod(exthdrs.ip6e_dest2, u_char *) = ip6->ip6_nxt;
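Review bot: the added line `panic("%s: assumption failed: hdr not split", ` ends in trailing whitespace after the comma, and the `__func__);` continuation needs the four extra spaces of indent style(9) asks for; trim and align before commit. Adding the function name to this message, which previously had none, is a small but real improvement for anyone reading the panic string.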
@@ -1761,7 +1761,7 @@ ip6_getpcbopt(struct ip6_pktopts *pktopt
break;
default:/* should not happen */
#ifdef DIAGNOSTIC
-   panic("ip6_getpcbopt: unexpected option");
+   panic("%s: unexpected option", __func__);
#endif
return (ENOPROTOOPT);
}
Index: nd6.c
===
RCS file: /home/nayden/cvsync/src/sys/netinet6/nd6.c,v
retrieving revision 1.228
diff -u -p -r1.228 nd6.c
--- nd6.c   7 Nov 2019 11:23:24 -   1.228
+++ nd6.c   11 Nov 2019 06:18:42 -
@@ -177,7 +177,7 @@ nd6_option(union nd_opts *ndopts)
int olen;

if (!ndopts)
-   panic("ndopts == NULL in nd6_option");
+   panic("%s: ndopts == NULL", _

Re: syscall call-from verification

2019-11-28 Thread Theo de Raadt
Miod Vallat  wrote:

> > For dynamic binaries, valid regions are ld.so's text segment, the signal
> > trampoline, and libc.so's text segment... AND the main program's text.
> >
> > Unfortunately our current go build model hasn't followed solaris/macos
> > approach yet of calling libc stubs, and uses the inappropriate "embed
> > system calls directly" method, so for now we'll need to authorize the main
> > program text as well.  A comment in exec_elf.c explains this.
> >
> > If go is adapted to call library-based system call stubs on OpenBSD as
> > well, this problem will go away.  There may be other environments creating
> > raw system calls. I guess we'll need to find them as time goes by, and
> > hope in time we can repair those also.
> 
> Or you could use an ELF note to flag binaries allowed to issue syscalls
> from their text section: only static binaries (including ld.so) and go
> binaries would need them.

Imagine a ld.so without the flag.  The kernel starts a userland process running
there.  So ld.so must be able to issue system calls.

Imagine a static binary without the flag.  It would fail.

The kernel can already identify these circumstances, and does not need a flag.

The only special case is libc.so.  We discussed adding a linker option to add
a note to libc.  And then build tooling to add the flag for libc.  And then
ld.so identification of this note.  But does it actually matter which way this
is done?

I fear the option would be abused for other purposes.  In the future,
why would we want programs doing system calls from other segments?  Are
there any legitimate compelling reasons to avoid calling the libc stubs?
I don't believe so.  Especially if those segments are in network facing
programs and/or generated on the fly.  At worst a nasty JIT can generate code
to call & of libc syscall(2) stub with SYS_* symbolic names.  That approach
remains simple and workable for the developer, but somewhat more difficult for
an attacker who does not know the relevant locations.



Re: syscall call-from verification

2019-11-28 Thread Miod Vallat


> For dynamic binaries, valid regions are ld.so's text segment, the signal
> trampoline, and libc.so's text segment... AND the main program's text.
>
> Unfortunately our current go build model hasn't followed solaris/macos
> approach yet of calling libc stubs, and uses the inappropriate "embed
> system calls directly" method, so for now we'll need to authorize the main
> program text as well.  A comment in exec_elf.c explains this.
>
> If go is adapted to call library-based system call stubs on OpenBSD as
> well, this problem will go away.  There may be other environments creating
> raw system calls. I guess we'll need to find them as time goes by, and
> hope in time we can repair those also.

Or you could use an ELF note to flag binaries allowed to issue syscalls
from their text section: only static binaries (including ld.so) and go
binaries would need them.



Re: syscall call-from verification

2019-11-28 Thread Theo de Raadt
Alexander Nasonov  wrote:

> Theo de Raadt wrote:
> > The following change only permits system calls from address-ranges
> > in the process which system calls are expected from.
> 
> Just curious if some approximation of pledge can be reimplemented
> in userspace with more granular libc.so's text segments?

I don't understand the question.

Please note a common misconception.  Pledge isn't about blocking system
calls.  Rather, it blocks system behaviours in categories.  A subset of
that is done by blocking system calls.  A large subset of that is not
done by blocking system calls, but instead their actions, based upon the
full parameter context.

When you suggest granularity you are surely talking about system
call blocking, so that ignores parameters, so it is not at all like
what pledge does, so you can understand my confusion.



Re: syscall call-from verification

2019-11-28 Thread Alexander Nasonov
Theo de Raadt wrote:
> The following change only permits system calls from address-ranges
> in the process which system calls are expected from.

Just curious if some approximation of pledge can be reimplemented
in userspace with more granular libc.so's text segments?

-- 
Alex



Re: ldomctl: Use scan_scaled(3) for memory in ldom.conf

2019-11-28 Thread Klemens Nanni
On Thu, Nov 28, 2019 at 06:12:11PM +0100, Mark Kettenis wrote:
> The man page change is not an improvement.
How so?  Does it lack concrete examples?  I'd rather leave a reference
to the manual that describes formats in detail instead of repeating
suffixes and/or examples.

Perhaps add one small example making it obvious that there must be no
space between number and the optional suffix?  vm.conf(5) does just that
by mentioning the default.

 memory bytes
  Declare the amount of memory assigned to a domain, in bytes.
  bytes can be specified with a human-readable scale, using the
  format described in scan_scaled(3), e.g. 512M.

> Last time something like this was tried, it required additional spaces
> between numbers and factors.  This diff doesn't suffer from that?
What was that?  I doubt it used scan_scaled(3) because it does not
accept spaces between number and suffix, see the manual.

All existing configurations continue to work without any change or
exception.
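
An added example, my own C rather than ldomctl's or libutil's code, of the
format the man page text above points at: a strict size parser in the spirit of
scan_scaled(3), kept to the subset ldom.conf needs (no sign, no leading
whitespace). It makes the point kettenis raised concrete: "512M" and "1.5G"
parse, "512 M" with a space before the suffix is rejected as a syntax error,
and a number that does not fit in a long long is rejected rather than wrapped.
The behaviour of the real library on corner cases should be taken from its
manual, not from this file.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Scale suffixes, 2^(10*index) bytes each: B=1, K=2^10, ..., E=2^60. */
static const char scale_chars[] = "BKMGTPE";

/*
 * Parse a memory size such as "512M", "1.5G" or "4096" into bytes:
 * digits with an optional fraction, then at most one scale letter in either
 * case, attached directly to the number. "512 M", "512MB" and "" fail with
 * errno = EINVAL; values that do not fit in a long long fail with
 * errno = ERANGE. Returns 0 on success, -1 on error.
 */
int
parse_scaled(const char *s, long long *result)
{
	const char *p = s, *sc;
	long long whole = 0, fract = 0, divisor = 1, scale = 1, fpart;
	int seen_digit = 0, in_fract = 0, d;

	for (; isdigit((unsigned char)*p) || *p == '.'; p++) {
		if (*p == '.') {
			if (in_fract) { errno = EINVAL; return -1; } /* second '.' */
			in_fract = 1;
			continue;
		}
		seen_digit = 1;
		d = *p - '0';
		if (in_fract) {
			if (divisor > LLONG_MAX / 100)	/* ignore excess precision */
				continue;
			fract = fract * 10 + d;
			divisor *= 10;
		} else {
			if (whole > (LLONG_MAX - d) / 10) { errno = ERANGE; return -1; }
			whole = whole * 10 + d;
		}
	}
	if (!seen_digit) { errno = EINVAL; return -1; }

	if (*p != '\0') {
		sc = strchr(scale_chars, toupper((unsigned char)*p));
		/* anything but exactly one trailing scale letter is a syntax
		 * error; this is what rejects "512 M" and "512MB" */
		if (sc == NULL || p[1] != '\0') { errno = EINVAL; return -1; }
		scale = 1LL << (10 * (sc - scale_chars));
	}

	if (whole > LLONG_MAX / scale) { errno = ERANGE; return -1; }
	/* exact for the usual "1.5G" style inputs; any remainder truncates */
	fpart = (long long)(fract * (double)scale / divisor);
	if (whole * scale > LLONG_MAX - fpart) { errno = ERANGE; return -1; }
	*result = whole * scale + fpart;
	return 0;
}

/* Wrapper for callers that only need the value; -1 on any error. */
long long
scaled_bytes(const char *s)
{
	long long v;

	return parse_scaled(s, &v) == 0 ? v : -1;
}

int
main(void)
{
	/* constructed inputs: valid ldom.conf spellings plus the "512 M" case */
	const char *inputs[] = { "512M", "1.5G", "4096", "2k", "512 M",
	    "512MB", "" };
	long long v;
	size_t i;

	for (i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
		if (parse_scaled(inputs[i], &v) == 0)
			printf("memory %-6s -> %lld bytes\n", inputs[i], v);
		else
			printf("memory %-6s -> rejected (%s)\n", inputs[i],
			    errno == ERANGE ? "out of range" : "bad syntax");
	}
	return 0;
}
```

The overflow checks are the part a config parser most often gets wrong: a
silently wrapped "memory" value would hand a guest a nonsensical allocation
instead of a clear parse error at the offending line.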



Re: ldomctl: status: show console device node

2019-11-28 Thread Mark Kettenis
> Date: Thu, 28 Nov 2019 03:48:04 +0100
> From: Klemens Nanni 
> 
> On Thu, Nov 28, 2019 at 01:05:43AM +0100, Klemens Nanni wrote:
> > With that, the next step is to implement `ldomctl console guest01' in
> > analogy to vmctl(8).
> Here's a complete diff for updating the status output and implementing
> the console command, mainly to ease testing and review.  I do want to
> plan those separately, though.
> 
> Code and manual wording snatched from vmctl(8).
> 
> > Code-wise, the only way to obtain the guest console's minor is to count
> > along as guests are printed;  that is because the data structures
> > simply do not store this information.
> That's wrong, I just overcomplicated things.  `struct guest' has a `gid'
> member which perfectly increments for each guest entry in the global
> `guests' list;  a guest id of zero indicates the primary domain as
> already checked/used elsewhere in the code.
> 
> > Feedback? OK?
> I've tested this diff on a T4-2 machine with all possible invocations
> of `ldomctl status [domain]' and `ldomctl console [domain]':  it always
> prints and attaches to the correct serial console respectively, whether
> I pass an explicit domain or omit it to list all.

ok kettenis@

> Index: ldomctl.8
> ===
> RCS file: /cvs/src/usr.sbin/ldomctl/ldomctl.8,v
> retrieving revision 1.16
> diff -u -p -r1.16 ldomctl.8
> --- ldomctl.8 27 Nov 2019 19:54:10 -  1.16
> +++ ldomctl.8 28 Nov 2019 01:13:47 -
> @@ -34,6 +34,10 @@ information about domains running on the
>  .Pp
>  The following commands are available:
>  .Bl -tag -width Ds
> +.It Cm console Ar domain
> +Using
> +.Xr cu 1
> +connect to the console of the guest domain.
>  .It Cm delete Ar configuration
>  Delete the specified configuration from non-volatile storage.
>  .It Cm download Ar directory
> @@ -148,9 +152,9 @@ The primary domain should have less CPUs
>  are now assigned to the guest domains:
>  .Bd -literal -offset indent
>  # ldomctl status
> -primary  running  OpenBSD running   1%
> -puffyrunning  OpenBoot Primary Boot Loader  8%
> -salmah   running  OpenBoot Primary Boot Loader 12%
> +primary - running OpenBSD running1%
> +puffy   ttyV0 running OpenBoot Primary Boot Loader   8%
> +salmah  ttyV1 running OpenBoot Primary Boot Loader  12%
>  .Ed
>  .Pp
>  Configure the
> @@ -166,7 +170,7 @@ This example bridges guest domains into 
>  .Pp
>  Access the console of the first domain and boot it:
>  .Bd -literal -offset indent
> -# cu -l ttyV0
> +# ldomctl console puffy
>  ok boot disk1
>  .Ed
>  .Sh SEE ALSO
> Index: ldomctl.c
> ===
> RCS file: /cvs/src/usr.sbin/ldomctl/ldomctl.c,v
> retrieving revision 1.23
> diff -u -p -r1.23 ldomctl.c
> --- ldomctl.c 27 Nov 2019 19:54:10 -  1.23
> +++ ldomctl.c 28 Nov 2019 02:40:14 -
> @@ -57,6 +57,7 @@ void guest_start(int argc, char **argv);
>  void guest_stop(int argc, char **argv);
>  void guest_panic(int argc, char **argv);
>  void guest_status(int argc, char **argv);
> +void guest_console(int argc, char **argv);
>  void init_system(int argc, char **argv);
>  
>  struct command commands[] = {
> @@ -70,6 +71,7 @@ struct command commands[] = {
>   { "stop",   guest_stop },
>   { "panic",  guest_panic },
>   { "status", guest_status },
> + { "console",guest_console },
>   { "init-system", init_system },
>   { NULL, NULL }
>  };
> @@ -156,14 +158,14 @@ main(int argc, char **argv)
>   exit(EXIT_SUCCESS);
>  }
>  
> -void
> +__dead void
>  usage(void)
>  {
>   fprintf(stderr, "usage:\t%1$s delete|select configuration\n"
>   "\t%1$s download directory\n"
>   "\t%1$s dump|list|list-io\n"
>   "\t%1$s init-system file\n"
> - "\t%1$s panic|start|status|stop [domain]\n", getprogname());
> + "\t%1$s console|panic|start|status|stop [domain]\n", getprogname());
>   exit(EXIT_FAILURE);
>  }
>  
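Review bot: the usage string now reads `console|panic|start|status|stop [domain]`, making the domain optional for `console`, but the ldomctl.8 hunk above documents it as `.It Cm console Ar domain` with a required argument; the two should agree, either by giving `console` its own usage line with a mandatory domain or by documenting what happens when it is omitted. Making `usage()` `__dead` is good; check that its prototype carries `__dead` as well, since the declaration is not in this diff.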
> @@ -451,7 +453,8 @@ guest_status(int argc, char **argv)
>   uint64_t total_cycles, yielded_cycles;
>   double utilisation = 0.0;
>   const char *state_str;
> - char buf[64];
> + char buf[32];
> + char console_str[8] = "-";
>  
>   if (argc < 1 || argc > 2)
>   usage();
> @@ -554,10 +557,44 @@ guest_status(int argc, char **argv)
>  
>   if (state.state != GUEST_STATE_NORMAL)
>   printf("%-16s  %-16s\n", guest->name, state_str);
> - else
> - printf("%-16s  %-16s  %-32s  %3.0f%%\n", guest->name,
> -state_str, softstate.soft_state_str,
> -utilisation);
> + else {
> + /* primary has no console */
> + if (guest->gid != 0) {
> + snpr
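Review bot: `buf` shrinks from 64 to 32 bytes in the same hunk that introduces `char console_str[8] = "-"`, and the rest of the hunk is cut off here; confirm that every snprintf(3) into `buf` still fits the smaller size and that 8 bytes covers the largest `ttyV%d` a guest id can produce, including the NUL. The "primary has no console" check on `guest->gid != 0` matches the earlier observation in the thread that gid zero is the primary domain.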

Re: ldomctl: Use scan_scaled(3) for memory in ldom.conf

2019-11-28 Thread Mark Kettenis
> Date: Thu, 28 Nov 2019 17:12:28 +0100
> From: Klemens Nanni 
> 
> Replace the hand-written routine with a proper library allowing even
> more formats.  vmctl(8) does the same, which is also where I took the
> manual wording from.
> 
> ldomctl has a local "util.h" which is included by parse.y, so
> compilation would fail to find scan_scaled after including  due to
> the include paths set in Makefile.
> 
> After consulting with mortimer and guenther, the solution is to rename
> the local util.h, so I went with ldom_util.h - this file is reached
> around to from ldomd as well, hence no ldomctl_util.h or so.
> 
> ldomctl seems to be the only case where local files conflict with global
> ones;  is that the right approach?  Do others consider it worth it?
> 
> util.h is small and generic, so renaming won't really cause annoyance
> with CVS logs.
> 
> Feedback? OK?

The man page change is not an improvement.

Last time something like this was tried, it required additional spaces
between numbers and factors.  This diff doesn't suffer from that?

> Index: ldomd/ds.c
> ===
> RCS file: /cvs/src/usr.sbin/ldomd/ds.c,v
> retrieving revision 1.9
> diff -u -p -r1.9 ds.c
> --- ldomd/ds.c20 Oct 2019 16:18:36 -  1.9
> +++ ldomd/ds.c28 Nov 2019 06:01:21 -
> @@ -27,7 +27,7 @@
>  #include 
>  
>  #include "ds.h"
> -#include "util.h"
> +#include "ldom_util.h"
>  
>  void ldc_rx_ctrl_vers(struct ldc_conn *, struct ldc_pkt *);
>  void ldc_rx_ctrl_rtr(struct ldc_conn *, struct ldc_pkt *);
> Index: ldomd/ldomd.c
> ===
> RCS file: /cvs/src/usr.sbin/ldomd/ldomd.c,v
> retrieving revision 1.9
> diff -u -p -r1.9 ldomd.c
> --- ldomd/ldomd.c 29 Sep 2019 17:10:00 -  1.9
> +++ ldomd/ldomd.c 28 Nov 2019 06:01:21 -
> @@ -34,7 +34,7 @@
>  #include "ds.h"
>  #include "hvctl.h"
>  #include "mdesc.h"
> -#include "util.h"
> +#include "ldom_util.h"
>  #include "ldomd.h"
>  
>  TAILQ_HEAD(guest_head, guest) guests;
> Index: ldomd/var-config.c
> ===
> RCS file: /cvs/src/usr.sbin/ldomd/var-config.c,v
> retrieving revision 1.2
> diff -u -p -r1.2 var-config.c
> --- ldomd/var-config.c27 Oct 2012 20:51:42 -  1.2
> +++ ldomd/var-config.c28 Nov 2019 06:01:21 -
> @@ -29,7 +29,7 @@
>  
>  #include "ds.h"
>  #include "mdesc.h"
> -#include "util.h"
> +#include "ldom_util.h"
>  #include "ldomd.h"
>  
>  void var_config_start(struct ldc_conn *, uint64_t);
> Index: ldomctl/Makefile
> ===
> RCS file: /cvs/src/usr.sbin/ldomctl/Makefile,v
> retrieving revision 1.10
> diff -u -p -r1.10 Makefile
> --- ldomctl/Makefile  20 Nov 2019 18:11:28 -  1.10
> +++ ldomctl/Makefile  28 Nov 2019 05:59:47 -
> @@ -8,6 +8,8 @@ PROG= ldomctl
>  SRCS=ldomctl.c ds.c mdesc.c util.c mdstore.c pri.c config.c parse.y
>  CFLAGS+=-Wall
>  CFLAGS+=-I${.CURDIR}/../ldomd -I${.CURDIR}
> +LDADD+=  -lutil
> +DPADD+=  ${LIBUTIL}
>  
>  .else
>  
> Index: ldomctl/config.c
> ===
> RCS file: /cvs/src/usr.sbin/ldomctl/config.c,v
> retrieving revision 1.28
> diff -u -p -r1.28 config.c
> --- ldomctl/config.c  27 Nov 2019 19:54:10 -  1.28
> +++ ldomctl/config.c  28 Nov 2019 05:59:01 -
> @@ -28,7 +28,7 @@
>  
>  #include "mdesc.h"
>  #include "ldomctl.h"
> -#include "util.h"
> +#include "ldom_util.h"
>  
>  #define LDC_GUEST0
>  #define LDC_HV   1
> Index: ldomctl/ldom.conf.5
> ===
> RCS file: /cvs/src/usr.sbin/ldomctl/ldom.conf.5,v
> retrieving revision 1.6
> diff -u -p -r1.6 ldom.conf.5
> --- ldomctl/ldom.conf.5   5 Aug 2019 19:27:47 -   1.6
> +++ ldomctl/ldom.conf.5   28 Nov 2019 04:40:53 -
> @@ -41,10 +41,11 @@ Declare the number of virtual CPUs assig
>  Optionally a stride can be specified to allocate additional virtual CPUs
>  but not assign them to a domain.
>  This can be used to distribute virtual CPUs over the available CPU cores.
> -.It Ic memory Ar number Ns Op Ar unit
> +.It Ic memory Ar bytes
>  Declare the amount of memory assigned to a domain, in bytes.
> -Optionally, the units 'K', 'M', or 'G', for kilo-, mega-, and gigabytes
> -can be used.
> +.Ar bytes
> +can be specified with a human-readable scale, using the format described in
> +.Xr scan_scaled 3 .
>  .It Ic iodevice Ar path
>  Assign the specified PCIe device to the guest domain.
>  This keyword can be used multiple times.
> Index: ldomctl/ldom_util.h
> ===
> RCS file: ldomctl/ldom_util.h
> diff -N ldomctl/ldom_util.h
> --- /dev/null 1 Jan 1970 00:00:00 -
> +++ ldomctl/ldom_util.h   28 Nov 2019 05:59:01 -
> @@ -0,0 +1,30 @@
> +/*   $Ope

ldomctl: Use scan_scaled(3) for memory in ldom.conf

2019-11-28 Thread Klemens Nanni
Replace the hand-written routine with a proper library allowing even
more formats.  vmctl(8) does the same, which is also where I took the
manual wording from.

ldomctl has a local "util.h" which is included by parse.y, so
compilation would fail to find scan_scaled after including  due to
the include paths set in Makefile.

After consulting with mortimer and guenther, the solution is to rename
the local util.h, so I went with ldom_util.h - this file is reached
around to from ldomd as well, hence no ldomctl_util.h or so.

ldomctl seems to be the only case where local files conflict with global
ones;  is that the right approach?  Do others consider it worth it?

util.h is small and generic, so renaming won't really cause annoyance
with CVS logs.

Feedback? OK?


Index: ldomd/ds.c
===
RCS file: /cvs/src/usr.sbin/ldomd/ds.c,v
retrieving revision 1.9
diff -u -p -r1.9 ds.c
--- ldomd/ds.c  20 Oct 2019 16:18:36 -  1.9
+++ ldomd/ds.c  28 Nov 2019 06:01:21 -
@@ -27,7 +27,7 @@
 #include 
 
 #include "ds.h"
-#include "util.h"
+#include "ldom_util.h"
 
 void   ldc_rx_ctrl_vers(struct ldc_conn *, struct ldc_pkt *);
 void   ldc_rx_ctrl_rtr(struct ldc_conn *, struct ldc_pkt *);
Index: ldomd/ldomd.c
===
RCS file: /cvs/src/usr.sbin/ldomd/ldomd.c,v
retrieving revision 1.9
diff -u -p -r1.9 ldomd.c
--- ldomd/ldomd.c   29 Sep 2019 17:10:00 -  1.9
+++ ldomd/ldomd.c   28 Nov 2019 06:01:21 -
@@ -34,7 +34,7 @@
 #include "ds.h"
 #include "hvctl.h"
 #include "mdesc.h"
-#include "util.h"
+#include "ldom_util.h"
 #include "ldomd.h"
 
 TAILQ_HEAD(guest_head, guest) guests;
Index: ldomd/var-config.c
===
RCS file: /cvs/src/usr.sbin/ldomd/var-config.c,v
retrieving revision 1.2
diff -u -p -r1.2 var-config.c
--- ldomd/var-config.c  27 Oct 2012 20:51:42 -  1.2
+++ ldomd/var-config.c  28 Nov 2019 06:01:21 -
@@ -29,7 +29,7 @@
 
 #include "ds.h"
 #include "mdesc.h"
-#include "util.h"
+#include "ldom_util.h"
 #include "ldomd.h"
 
 void   var_config_start(struct ldc_conn *, uint64_t);
Index: ldomctl/Makefile
===
RCS file: /cvs/src/usr.sbin/ldomctl/Makefile,v
retrieving revision 1.10
diff -u -p -r1.10 Makefile
--- ldomctl/Makefile20 Nov 2019 18:11:28 -  1.10
+++ ldomctl/Makefile28 Nov 2019 05:59:47 -
@@ -8,6 +8,8 @@ PROG=   ldomctl
 SRCS=  ldomctl.c ds.c mdesc.c util.c mdstore.c pri.c config.c parse.y
 CFLAGS+=-Wall
 CFLAGS+=-I${.CURDIR}/../ldomd -I${.CURDIR}
+LDADD+=-lutil
+DPADD+=${LIBUTIL}
 
 .else
 
Index: ldomctl/config.c
===
RCS file: /cvs/src/usr.sbin/ldomctl/config.c,v
retrieving revision 1.28
diff -u -p -r1.28 config.c
--- ldomctl/config.c27 Nov 2019 19:54:10 -  1.28
+++ ldomctl/config.c28 Nov 2019 05:59:01 -
@@ -28,7 +28,7 @@
 
 #include "mdesc.h"
 #include "ldomctl.h"
-#include "util.h"
+#include "ldom_util.h"
 
 #define LDC_GUEST  0
 #define LDC_HV 1
Index: ldomctl/ldom.conf.5
===
RCS file: /cvs/src/usr.sbin/ldomctl/ldom.conf.5,v
retrieving revision 1.6
diff -u -p -r1.6 ldom.conf.5
--- ldomctl/ldom.conf.5 5 Aug 2019 19:27:47 -   1.6
+++ ldomctl/ldom.conf.5 28 Nov 2019 04:40:53 -
@@ -41,10 +41,11 @@ Declare the number of virtual CPUs assig
 Optionally a stride can be specified to allocate additional virtual CPUs
 but not assign them to a domain.
 This can be used to distribute virtual CPUs over the available CPU cores.
-.It Ic memory Ar number Ns Op Ar unit
+.It Ic memory Ar bytes
 Declare the amount of memory assigned to a domain, in bytes.
-Optionally, the units 'K', 'M', or 'G', for kilo-, mega-, and gigabytes
-can be used.
+.Ar bytes
+can be specified with a human-readable scale, using the format described in
+.Xr scan_scaled 3 .
 .It Ic iodevice Ar path
 Assign the specified PCIe device to the guest domain.
 This keyword can be used multiple times.
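Review bot: the new `memory` text drops the concrete list of accepted suffixes and leans entirely on the cross-reference to scan_scaled(3), which is what the objection in this thread is about; keep the reference but add an inline example such as `e.g. 512M` (the vm.conf(5) approach mentioned later) and say that the suffix must follow the number with no space, since that is the one thing a user writing `512 M` needs to learn from this page rather than from a library manual.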
Index: ldomctl/ldom_util.h
===
RCS file: ldomctl/ldom_util.h
diff -N ldomctl/ldom_util.h
--- /dev/null   1 Jan 1970 00:00:00 -
+++ ldomctl/ldom_util.h 28 Nov 2019 05:59:01 -
@@ -0,0 +1,30 @@
+/* $OpenBSD: util.h,v 1.4 2014/10/15 21:37:27 deraadt Exp $*/
+
+/*
+ * Copyright (c) 2012 Mark Kettenis
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
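Review bot: the new file ldom_util.h keeps the old RCS id line `$OpenBSD: util.h,v 1.4 2014/10/15 21:37:27 deraadt Exp $`; a freshly added file should carry a bare `$OpenBSD$` so CVS expands it with the new name and revision on commit. The removal of the old util.h is not part of this diff either, so make sure it goes out in the same commit, otherwise the stale header shadows <util.h> again for anyone with an old checkout.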

Re: ldomctl: status: show console device node

2019-11-28 Thread Klemens Nanni
On Thu, Nov 28, 2019 at 03:48:04AM +0100, Klemens Nanni wrote:
> I've tested this diff on a T4-2 machine with all possible invocations
> of `ldomctl status [domain]' and `ldomctl console [domain]':  it always
> prints and attaches to the correct serial console respectively, whether
> I pass an explicit domain or omit it to list all.
stsp kindly tested this on a T5220 machine running 6.5-stable where the
diff applied except for the usage hunk;  both status and console work
as expected.



Re: iked: merge host_v{4,6}() into host_ip(), simplify host()

2019-11-28 Thread Klemens Nanni
On Thu, Nov 28, 2019 at 09:53:20AM +0100, Tobias Heider wrote:
> >  voidcopy_satoipa(struct ipsec_addr_wrap *,
> 
> One minor nit: sa in iked usually refers to IPsec security associations,
> maybe it would make sense to use "saddr" here?
Good point, I'll rename it.

> > More tests appreciated.
> > Feedback? OK?
> 
> Works for me. ok tobhe@, with or without name change.
Great, thanks.



Re: unwind and split-horizon DNS

2019-11-28 Thread Otto Moerbeek
On Thu, Nov 28, 2019 at 03:26:34PM +0100, Otto Moerbeek wrote:

> Hi,
> 
> In many offices, split horizon DNS is used. This means that if you are
> in the office you are supposed to use a specific resolver that will
> hand out different results than when asking for the same name on the
> rest of the internet.
> 
> Until now unwind could not really handle that, e.g. in recursing mode,
> it would produce the view as from outside of the office. 
> 
> With this diff, it becomes possible to force using a specific resolver
> when resolving names in specific domains.
> 
> For example, with this unwind.conf:
> 
> # Office forwarder
> forwarder 1.2.3.4 
> force forwarder {
>   myoffice.com
>   dmz.colocation.com
> }
> 
> This will make unwind always use the mentioned forwarder for anything
> under office.com or dmz.colocation.com. If the forwarder is dead,
> regular resolving is done for these names and www.office.com will
> likely return the external address.
> 
> Often split-horizon DNS breaks DNSSEC for these specific domains. If
> that is the case, you can use
> 
> force acceptbogus forwarder { 
>   ... 
> }
> 
> please test this,
> 
>   -Otto
> 
> OAIndex: frontend.c

Don't know where that OA is coming from.  But it confuses patch, making
it skip the first part of the diff. Proper diff below:

-Otto

Index: frontend.c
===
RCS file: /cvs/src/sbin/unwind/frontend.c,v
retrieving revision 1.40
diff -u -p -r1.40 frontend.c
--- frontend.c  27 Nov 2019 17:09:12 -  1.40
+++ frontend.c  28 Nov 2019 14:24:17 -
@@ -336,6 +336,7 @@ frontend_dispatch_main(int fd, short eve
case IMSG_RECONF_BLOCKLIST_FILE:
case IMSG_RECONF_FORWARDER:
case IMSG_RECONF_DOT_FORWARDER:
+   case IMSG_RECONF_FORCE:
imsg_receive_config(&imsg, &nconf);
break;
case IMSG_RECONF_END:
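Review bot: routing IMSG_RECONF_FORCE through the shared imsg_receive_config() path is consistent with the other RECONF messages, but the receiving side is not in this diff; as this message crosses the process boundary from the parent, the frontend needs to check the payload length against the size of a force entry and ensure the domain string is NUL-terminated before inserting it into its tree. Please show that part of the change too.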
Index: parse.y
===
RCS file: /cvs/src/sbin/unwind/parse.y,v
retrieving revision 1.20
diff -u -p -r1.20 parse.y
--- parse.y 28 Nov 2019 10:02:44 -  1.20
+++ parse.y 28 Nov 2019 14:24:17 -
@@ -90,8 +90,9 @@ struct sockaddr_storage   *host_ip(const c
 
 typedef struct {
union {
-   int64_t  number;
-   char*string;
+   int64_t  number;
+   char*string;
+   struct force_treeforce;
} v;
int lineno;
 } YYSTYPE;
@@ -101,12 +102,13 @@ typedef struct {
 %token INCLUDE ERROR
 %token FORWARDER DOT PORT 
 %token AUTHENTICATION NAME PREFERENCE RECURSOR DHCP STUB
-%token BLOCK LIST LOG
+%token BLOCK LIST LOG FORCE ACCEPTBOGUS
 
 %token   STRING
 %token   NUMBER
-%typeyesno port dot prefopt log
+%typeyesno port dot prefopt log acceptbogus
 %typestring authname
+%type force_list
 
 %%
 
@@ -117,6 +119,7 @@ grammar : /* empty */
| grammar uw_pref '\n'
| grammar uw_forwarder '\n'
| grammar block_list '\n'
+   | grammar force '\n'
| grammar error '\n'{ file->errors++; }
;
 
@@ -311,6 +314,63 @@ dot:   DOT { $$ = 
DOT; }
 log:   LOG { $$ = 1; }
|   /* empty */ { $$ = 0; }
;
+
+force  :   FORCE acceptbogus prefopt '{' force_list optnl '}' {
+   struct force_tree_entry *n, *nxt;
+   int error = 0;
+
+   for (n = RB_MIN(force_tree, &$5); n != NULL;
+   n = nxt) {
+   nxt = RB_NEXT(force_tree, &conf->force, n);
+   n->acceptbogus = $2;
+   n->type = $3;
+   RB_REMOVE(force_tree, &$5, n);
+   if (RB_INSERT(force_tree, &conf->force,
+   n)) {
+   yyerror("%s already in an force "
+   "list", n->domain);
+   error = 1;
+   }
+   }
+   if (error)
+   YYERROR;
+   }
+   ;
+
+acceptbogus:   ACCEPTBOGUS { $$ = 1; }
+   |   /* empty */ { $$ = 0; }
+   ;
+
+force_list:force_list optnl STRING {
+   struct force_tree_entry *e;
+   size_t   len;
+
+   len = strlen($3);
+   e = malloc(sizeof(*e));
+   if (e == NULL)
+   err(1, NULL)
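Review bot: In the `force` action the loop iterates the temporary tree `&$5` but advances with `nxt = RB_NEXT(force_tree, &conf->force, n);`, naming the wrong head. The BSD RB_NEXT macro ignores its head argument, so this happens to work, but it reads as a walk of conf->force and will mislead the next reader; use `&$5` there. On the duplicate path, `n` has already been RB_REMOVE'd from `$5` and is never freed after the yyerror, so each rejected duplicate leaks an entry; and the message should read "already in a force list" rather than "an force".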

unwind and split-horizon DNS

2019-11-28 Thread Otto Moerbeek
Hi,

In many offices, split horizon DNS is used. This means that if you are
in the office you are supposed to use a specific resolver that will
hand out different results than when asking for the same name on the
rest of the internet.

Until now unwind could not really handle that; e.g. in recursing mode
it would produce the view as seen from outside of the office.

With this diff, it becomes possible to force using a specific resolver
when resolving names in specific domains.

For example, with this unwind.conf:

# Office forwarder
forwarder 1.2.3.4 
force forwarder {
myoffice.com
dmz.colocation.com
}

This will make unwind always use the mentioned forwarder for anything
under office.com or dmz.colocation.com. If the forwarder is dead,
regular resolving is done for these names and www.office.com will
likely return the external address.

Often split-horizon DNS breaks DNSSEC for these specific domains. If
that is the case, you can use

force acceptbogus forwarder { 
... 
}

please test this,

-Otto

OAIndex: frontend.c
===
RCS file: /cvs/src/sbin/unwind/frontend.c,v
retrieving revision 1.40
diff -u -p -r1.40 frontend.c
--- frontend.c  27 Nov 2019 17:09:12 -  1.40
+++ frontend.c  28 Nov 2019 14:24:17 -
@@ -336,6 +336,7 @@ frontend_dispatch_main(int fd, short eve
case IMSG_RECONF_BLOCKLIST_FILE:
case IMSG_RECONF_FORWARDER:
case IMSG_RECONF_DOT_FORWARDER:
+   case IMSG_RECONF_FORCE:
imsg_receive_config(&imsg, &nconf);
break;
case IMSG_RECONF_END:
Index: parse.y
===
RCS file: /cvs/src/sbin/unwind/parse.y,v
retrieving revision 1.20
diff -u -p -r1.20 parse.y
--- parse.y 28 Nov 2019 10:02:44 -  1.20
+++ parse.y 28 Nov 2019 14:24:17 -
@@ -90,8 +90,9 @@ struct sockaddr_storage   *host_ip(const c
 
 typedef struct {
union {
-   int64_t  number;
-   char*string;
+   int64_t  number;
+   char*string;
+   struct force_treeforce;
} v;
int lineno;
 } YYSTYPE;
@@ -101,12 +102,13 @@ typedef struct {
 %token INCLUDE ERROR
 %token FORWARDER DOT PORT 
 %token AUTHENTICATION NAME PREFERENCE RECURSOR DHCP STUB
-%token BLOCK LIST LOG
+%token BLOCK LIST LOG FORCE ACCEPTBOGUS
 
 %token   STRING
 %token   NUMBER
-%typeyesno port dot prefopt log
+%typeyesno port dot prefopt log acceptbogus
 %typestring authname
+%type force_list
 
 %%
 
@@ -117,6 +119,7 @@ grammar : /* empty */
| grammar uw_pref '\n'
| grammar uw_forwarder '\n'
| grammar block_list '\n'
+   | grammar force '\n'
| grammar error '\n'{ file->errors++; }
;
 
@@ -311,6 +314,63 @@ dot:   DOT { $$ = 
DOT; }
 log:   LOG { $$ = 1; }
|   /* empty */ { $$ = 0; }
;
+
+force  :   FORCE acceptbogus prefopt '{' force_list optnl '}' {
+   struct force_tree_entry *n, *nxt;
+   int error = 0;
+
+   for (n = RB_MIN(force_tree, &$5); n != NULL;
+   n = nxt) {
+   nxt = RB_NEXT(force_tree, &conf->force, n);
+   n->acceptbogus = $2;
+   n->type = $3;
+   RB_REMOVE(force_tree, &$5, n);
+   if (RB_INSERT(force_tree, &conf->force,
+   n)) {
+   yyerror("%s already in an force "
+   "list", n->domain);
+   error = 1;
+   }
+   }
+   if (error)
+   YYERROR;
+   }
+   ;
+
+acceptbogus:   ACCEPTBOGUS { $$ = 1; }
+   |   /* empty */ { $$ = 0; }
+   ;
+
+force_list:force_list optnl STRING {
+   struct force_tree_entry *e;
+   size_t   len;
+
+   len = strlen($3);
+   e = malloc(sizeof(*e));
+   if (e == NULL)
+   err(1, NULL);
+   if (strlcpy(e->domain, $3, sizeof(e->domain)) >=
+   sizeof(e->domain)) {
+   yyerror("force %s too long", $3);
+   free($3);
+   YYERROR;
+ 
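Review bot: In the `force_list` action, when strlcpy() reports truncation the code frees `$3` and does YYERROR but leaks the `e` it malloc()'d two lines earlier; add `free(e);` before the YYERROR. The `len = strlen($3);` at the top of the action is not used in any of the visible lines, since the strlcpy return value already carries the length check, so it can probably go.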

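As an added example, not unwind's own code (which is C and keeps the entries in an RB tree), the following Python models the `force` block described in this message: it parses a constructed unwind.conf, refuses a domain listed in two blocks the way the parse.y hunk's yyerror does, and answers "which forced resolver covers this name?" by label-aligned suffix matching, which is an assumption about what "anything under office.com" means (so `notmyoffice.com` is not forced). The sample config, the `lan` block and all function names are constructed for the example.

```python
import re

# Constructed sample unwind.conf in the style of the one in this message,
# with a second, acceptbogus block added for a private "lan" zone.
SAMPLE_CONF = """\
# Office forwarder
forwarder 1.2.3.4
force forwarder {
        myoffice.com
        dmz.colocation.com
}
force acceptbogus forwarder {
        lan
}
"""

_FORCE_BLOCK = re.compile(r"\bforce\s+(acceptbogus\s+)?(\w+)\s*\{([^}]*)\}")

def parse_force_blocks(conf):
    """{domain: (type, acceptbogus)} for each 'force [acceptbogus] <type> {...}'
    block; a domain in two blocks is refused like the parse.y yyerror does."""
    conf = re.sub(r"#.*", "", conf)  # comments first, so '# force ...' is inert
    forced = {}
    for m in _FORCE_BLOCK.finditer(conf):
        acceptbogus, rtype, body = m.group(1) is not None, m.group(2), m.group(3)
        for dom in body.split():
            dom = dom.rstrip(".").lower()
            if dom in forced:
                raise ValueError(f"{dom} already in a force list")
            forced[dom] = (rtype, acceptbogus)
    return forced

def lookup_force(forced, qname):
    """Most specific forced entry covering qname, matched on label boundaries:
    www.myoffice.com is under myoffice.com, notmyoffice.com is not."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in forced:
            return suffix, forced[suffix]
    return None

def rejects_duplicate(conf):
    """True when conf is refused because a domain appears in two force blocks."""
    try:
        parse_force_blocks(conf)
    except ValueError as e:
        return "already in a force list" in str(e)
    return False
```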
Re: drmbackoff

2019-11-28 Thread Jonathan Gray
On Wed, Nov 27, 2019 at 05:18:32PM +0100, Mark Kettenis wrote:
> The inteldrm(4) driver keeps a cache of graphics objects, allegedly to
> make things faster by avoiding cache flushes.  But those graphics
> objects consume memory that we want to free if we need it for
> something else.
> 
> The diff below hooks up the "shrinker" code in inteldrm(4) and calls
> it from the pagedaemon if it thinks it needs to free up memory.
> 
> The diff still has some debug printfs such that we can tell that the
> code is actually called.
> 
> Please test if you have inteldrm(4), especially on machines with
> limited amounts of physical memory.

unregister_shrinker() coming as well?

Here is an additional ttm diff for radeondrm/amdgpu.

Index: dev/pci/drm/ttm/ttm_page_alloc.c
===
RCS file: /cvs/src/sys/dev/pci/drm/ttm/ttm_page_alloc.c,v
retrieving revision 1.16
diff -u -p -r1.16 ttm_page_alloc.c
--- dev/pci/drm/ttm/ttm_page_alloc.c27 Apr 2019 08:10:32 -  1.16
+++ dev/pci/drm/ttm/ttm_page_alloc.c28 Nov 2019 10:37:09 -
@@ -107,9 +107,7 @@ struct ttm_pool_opts {
  **/
 struct ttm_pool_manager {
struct kobject  kobj;
-#ifdef notyet
struct shrinker mm_shrink;
-#endif
struct ttm_pool_optsoptions;
 
union {
@@ -388,7 +386,6 @@ out:
  *
  * This code is crying out for a shrinker per pool
  */
-#ifdef notyet
 static unsigned long
 ttm_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
 {
@@ -441,17 +438,13 @@ ttm_pool_shrink_count(struct shrinker *s
 
return count;
 }
-#endif
 
 static int ttm_pool_mm_shrink_init(struct ttm_pool_manager *manager)
 {
-#ifdef notyet
manager->mm_shrink.count_objects = ttm_pool_shrink_count;
manager->mm_shrink.scan_objects = ttm_pool_shrink_scan;
manager->mm_shrink.seeks = 1;
return register_shrinker(&manager->mm_shrink);
-#endif
-   return 0;
 }
 
 static void ttm_pool_mm_shrink_fini(struct ttm_pool_manager *manager)
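Review bot: ttm_pool_mm_shrink_init() now returns the result of register_shrinker() instead of the unconditional `return 0;`, so its caller has to handle a failure that could not occur before, and that caller is not in the hunk. The matching ttm_pool_mm_shrink_fini() appears only as the trailing context line; if its body is still under #ifdef notyet, the shrinker registered here is never unregistered when the pool manager is torn down, which is the same concern as the unregister_shrinker() question above.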



Re: iked: merge host_v{4,6}() into host_ip(), simplify host()

2019-11-28 Thread Tobias Heider
>  void  copy_satoipa(struct ipsec_addr_wrap *,

One minor nit: sa in iked usually refers to IPsec security associations;
maybe it would make sense to use "saddr" here?

> More tests appreciated.
> Feedback? OK?

Works for me. ok tobhe@, with or without name change.